Process Automation: Getting Started

Compliance officers, risk managers, IT executives: they all talk about automating compliance processes constantly, and for good reason. Most compliance processes are tedious pains in the neck.

In fact, compliance departments aren’t the only ones eager to embrace automation. The idea has a catchy name — robotic process information, since “bots” will handle all that tedious work — and it promises to be one of the major IT innovations of the next five to 10 years.

So what does that mean for compliance executives, who often come from a legal background without much experience in technology? How do you get process automation started, rather than an IT executive telling you how it will go?

First, look at the tasks that need doing. Anything repetitive, done by a large number of employees or third parties over and over, might be a candidate for process automation. The determinant is how much judgment is involved, versus processes that unfold according to a series of rules. The more some task is the latter, rather than the former, the better a candidate it is for automation.

So for example, screening third parties for politically exposed persons is an obvious automation target. Many compliance programs already do automate screening in some manner.

Beyond that, however, you can also ask: what happens after your screening gives a result? If you have a policy that all third parties with PEPs or other high-risk executives must get extra training — well, that’s a rules-based step. A bot spitting out those training alerts is possible, too.

That said, you also need to look at what should not be automated. Your policy for third party due diligence might also include a clause rejecting parties with PEPs or high-risk executives; or it might call for those parties to submit to an intrusive anti-corruption audit.

Delivering that news via automated email alert might not be the wisest idea, especially if the third party is influential in your industry or region. A human being should deliver news like that, with appropriate tact and finesse.

That’s a simple example, I know, but it makes a larger, important point about process automation. You, the compliance officer overseeing the process, need to sort out the correct blend of technology automation and human participation.

A strong compliance program is a collection of many processes; not all of them will be automated in the same way or to the same extent. And in the fullness of time, when you do say, “I want to automate steps X, Y, and Z” — that won’t be the hard part. Artificial intelligence will be here soon enough, and it will be able to take data generated from one task and drop it somewhere else to complete another task. That’s robotic process automation.

But successful ethics and compliance is ultimately about judgment: making difficult decisions in the face of complex circumstances, rooted in a company’s core culture and ethical values. Entrust those moments to a software algorithm, and you’re sunk.

Thankfully, the hard, judgment-based work usually comes at the beginning of building a compliance program; or at the end, when you need to enforce a tough call.

There’s still plenty of process between those two points, and you can automate plenty of it.

Building a comprehensive structure for your compliance program is essential to effectively and efficiently mitigate risk. And while risks vary from one company to another based on industry, location, and partners – thereby disqualifying any one-size-fits-all compliance program – the underlying structure of a program can, to a reasonable extent, be broken down into a set of components.